From: Sasha Levin
Date: Mon, 22 Aug 2022 13:27:05 +0000 (-0400)
Subject: Fixes for 4.14
X-Git-Tag: v4.9.326~29^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=476ff87f34c7daa192fa6346498553d507b1b3b8;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.14

Signed-off-by: Sasha Levin
---

diff --git a/queue-4.14/alsa-core-add-async-signal-helpers.patch b/queue-4.14/alsa-core-add-async-signal-helpers.patch
new file mode 100644
index 00000000000..25bebe0d7a5
--- /dev/null
+++ b/queue-4.14/alsa-core-add-async-signal-helpers.patch
@@ -0,0 +1,158 @@ +From 34810398db1427638c86dabf84f1c986bd147a4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 14:59:42 +0200 +Subject: ALSA: core: Add async signal helpers + +From: Takashi Iwai + +[ Upstream commit ef34a0ae7a2654bc9e58675e36898217fb2799d8 ] + +Currently the call of kill_fasync() from an interrupt handler might +lead to potential spin deadlocks, as spotted by syzkaller. +Unfortunately, it's not so trivial to fix this lock chain as it's +involved with the tasklist_lock that is touched in allover places. + +As a temporary workaround, this patch provides the way to defer the +async signal notification in a work. The new helper functions, +snd_fasync_helper() and snd_kill_faync() are replacements for +fasync_helper() and kill_fasync(), respectively. In addition, +snd_fasync_free() needs to be called at the destructor of the relevant +file object. + +Link: https://lore.kernel.org/r/20220728125945.29533-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/core.h | 8 ++++ + sound/core/misc.c | 94 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 102 insertions(+) + +diff --git a/include/sound/core.h b/include/sound/core.h +index 4104a9d1001f..9d04e700b855 100644 +--- a/include/sound/core.h ++++ b/include/sound/core.h +@@ -442,4 +442,12 @@ snd_pci_quirk_lookup_id(u16 vendor, u16 device, + } + #endif + ++/* async signal helpers */ ++struct snd_fasync; ++ ++int snd_fasync_helper(int fd, struct file *file, int on, ++ struct snd_fasync **fasyncp); ++void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll); ++void snd_fasync_free(struct snd_fasync *fasync); ++ + #endif /* __SOUND_CORE_H */ +diff --git a/sound/core/misc.c b/sound/core/misc.c +index 0f818d593c9e..d100feba26b5 100644 +--- a/sound/core/misc.c ++++ b/sound/core/misc.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + + #ifdef CONFIG_SND_DEBUG +@@ -160,3 +161,96 @@ 
snd_pci_quirk_lookup(struct pci_dev *pci, const struct snd_pci_quirk *list) + } + EXPORT_SYMBOL(snd_pci_quirk_lookup); + #endif ++ ++/* ++ * Deferred async signal helpers ++ * ++ * Below are a few helper functions to wrap the async signal handling ++ * in the deferred work. The main purpose is to avoid the messy deadlock ++ * around tasklist_lock and co at the kill_fasync() invocation. ++ * fasync_helper() and kill_fasync() are replaced with snd_fasync_helper() ++ * and snd_kill_fasync(), respectively. In addition, snd_fasync_free() has ++ * to be called at releasing the relevant file object. ++ */ ++struct snd_fasync { ++ struct fasync_struct *fasync; ++ int signal; ++ int poll; ++ int on; ++ struct list_head list; ++}; ++ ++static DEFINE_SPINLOCK(snd_fasync_lock); ++static LIST_HEAD(snd_fasync_list); ++ ++static void snd_fasync_work_fn(struct work_struct *work) ++{ ++ struct snd_fasync *fasync; ++ ++ spin_lock_irq(&snd_fasync_lock); ++ while (!list_empty(&snd_fasync_list)) { ++ fasync = list_first_entry(&snd_fasync_list, struct snd_fasync, list); ++ list_del_init(&fasync->list); ++ spin_unlock_irq(&snd_fasync_lock); ++ if (fasync->on) ++ kill_fasync(&fasync->fasync, fasync->signal, fasync->poll); ++ spin_lock_irq(&snd_fasync_lock); ++ } ++ spin_unlock_irq(&snd_fasync_lock); ++} ++ ++static DECLARE_WORK(snd_fasync_work, snd_fasync_work_fn); ++ ++int snd_fasync_helper(int fd, struct file *file, int on, ++ struct snd_fasync **fasyncp) ++{ ++ struct snd_fasync *fasync = NULL; ++ ++ if (on) { ++ fasync = kzalloc(sizeof(*fasync), GFP_KERNEL); ++ if (!fasync) ++ return -ENOMEM; ++ INIT_LIST_HEAD(&fasync->list); ++ } ++ ++ spin_lock_irq(&snd_fasync_lock); ++ if (*fasyncp) { ++ kfree(fasync); ++ fasync = *fasyncp; ++ } else { ++ if (!fasync) { ++ spin_unlock_irq(&snd_fasync_lock); ++ return 0; ++ } ++ *fasyncp = fasync; ++ } ++ fasync->on = on; ++ spin_unlock_irq(&snd_fasync_lock); ++ return fasync_helper(fd, file, on, &fasync->fasync); ++} 
++EXPORT_SYMBOL_GPL(snd_fasync_helper); ++ ++void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll) ++{ ++ unsigned long flags; ++ ++ if (!fasync || !fasync->on) ++ return; ++ spin_lock_irqsave(&snd_fasync_lock, flags); ++ fasync->signal = signal; ++ fasync->poll = poll; ++ list_move(&fasync->list, &snd_fasync_list); ++ schedule_work(&snd_fasync_work); ++ spin_unlock_irqrestore(&snd_fasync_lock, flags); ++} ++EXPORT_SYMBOL_GPL(snd_kill_fasync); ++ ++void snd_fasync_free(struct snd_fasync *fasync) ++{ ++ if (!fasync) ++ return; ++ fasync->on = 0; ++ flush_work(&snd_fasync_work); ++ kfree(fasync); ++} ++EXPORT_SYMBOL_GPL(snd_fasync_free); +-- +2.35.1 + diff --git a/queue-4.14/alsa-timer-use-deferred-fasync-helper.patch b/queue-4.14/alsa-timer-use-deferred-fasync-helper.patch new file mode 100644 index 00000000000..e8ab2f6470d --- /dev/null +++ b/queue-4.14/alsa-timer-use-deferred-fasync-helper.patch 
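Review bot: snd_fasync_free() clears `fasync->on` and calls flush_work() without holding snd_fasync_lock, while snd_kill_fasync() reads `fasync->on` before taking the lock and only then moves the entry onto snd_fasync_list and schedules the work; a snd_kill_fasync() that passes its `on` check just before the free can therefore queue the entry after flush_work() has returned, and the work function would then walk a freed object. That makes it a precondition that no interrupt path can still reach the object when snd_fasync_free() runs, but nothing in the hunk says so; suggest a comment on snd_fasync_free() such as `/* Caller must ensure no concurrent snd_kill_fasync() on this object; the deferred work would otherwise touch freed memory */`, and the same sentence on the declaration in include/sound/core.h. The commit message itself calls this a temporary workaround, so spelling out the contract matters for the drivers that get converted in the follow-up patches.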
@@ -0,0 +1,83 @@ +From c36a7238c1bab0dd6cced9520af39a1bcdd0f3b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 14:59:43 +0200 +Subject: ALSA: timer: Use deferred fasync helper + +From: Takashi Iwai + +[ Upstream commit 95cc637c1afd83fb7dd3d7c8a53710488f4caf9c ] + +For avoiding the potential deadlock via kill_fasync() call, use the +new fasync helpers to defer the invocation from PCI API. Note that +it's merely a workaround. + +Reported-by: syzbot+1ee0910eca9c94f71f25@syzkaller.appspotmail.com +Reported-by: syzbot+49b10793b867871ee26f@syzkaller.appspotmail.com +Reported-by: syzbot+8285e973a41b5aa68902@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20220728125945.29533-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/timer.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index c333ceb80d5f..720d63574bfb 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -75,7 +75,7 @@ struct snd_timer_user { + unsigned int filter; + struct timespec tstamp; /* trigger tstamp */ + wait_queue_head_t qchange_sleep; +- struct fasync_struct *fasync; ++ struct snd_fasync *fasync; + struct mutex ioctl_lock; + }; + +@@ -1295,7 +1295,7 @@ static void snd_timer_user_interrupt(struct snd_timer_instance *timeri, + } + __wake: + spin_unlock(&tu->qlock); +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1332,7 +1332,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, + spin_lock_irqsave(&tu->qlock, flags); + snd_timer_user_append_to_tqueue(tu, &r1); + spin_unlock_irqrestore(&tu->qlock, flags); +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1399,7 +1399,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, + 
spin_unlock(&tu->qlock); + if (append == 0) + return; +- kill_fasync(&tu->fasync, SIGIO, POLL_IN); ++ snd_kill_fasync(tu->fasync, SIGIO, POLL_IN); + wake_up(&tu->qchange_sleep); + } + +@@ -1465,6 +1465,7 @@ static int snd_timer_user_release(struct inode *inode, struct file *file) + if (tu->timeri) + snd_timer_close(tu->timeri); + mutex_unlock(&tu->ioctl_lock); ++ snd_fasync_free(tu->fasync); + kfree(tu->queue); + kfree(tu->tqueue); + kfree(tu); +@@ -2017,7 +2018,7 @@ static int snd_timer_user_fasync(int fd, struct file * file, int on) + struct snd_timer_user *tu; + + tu = file->private_data; +- return fasync_helper(fd, file, on, &tu->fasync); ++ return snd_fasync_helper(fd, file, on, &tu->fasync); + } + + static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, +-- +2.35.1 + diff --git a/queue-4.14/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch b/queue-4.14/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch new file mode 100644 index 00000000000..bce041438db --- /dev/null +++ b/queue-4.14/clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch 
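Review bot: In snd_timer_user_release() the new `snd_fasync_free(tu->fasync)` runs after `mutex_unlock(&tu->ioctl_lock)`, while the three callback paths changed in this file read `tu->fasync` with no lock at all; the ordering is only safe if `snd_timer_close(tu->timeri)` under the mutex has already quiesced those callbacks, which is presumably the case but is not stated. A comment on the new line, e.g. `/* timer callbacks are stopped by snd_timer_close() above */`, would record that dependency. `tu->fasync` is also left dangling after the free, which is harmless only because kfree(tu) follows immediately. Each of the changed functions starts outside its hunk.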
@@ -0,0 +1,85 @@ +From baf9ebfd53e6d08925684137259cc55625a9a336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 23:00:47 +0200 +Subject: clk: qcom: ipq8074: dont disable gcc_sleep_clk_src + +From: Robert Marko + +[ Upstream commit 1bf7305e79aab095196131bdc87a97796e0e3fac ] + +Once the usb sleep clocks are disabled, clock framework is trying to +disable the sleep clock source also. + +However, it seems that it cannot be disabled and trying to do so produces: +[ 245.436390] ------------[ cut here ]------------ +[ 245.441233] gcc_sleep_clk_src status stuck at 'on' +[ 245.441254] WARNING: CPU: 2 PID: 223 at clk_branch_wait+0x130/0x140 +[ 245.450435] Modules linked in: xhci_plat_hcd xhci_hcd dwc3 dwc3_qcom leds_gpio +[ 245.456601] CPU: 2 PID: 223 Comm: sh Not tainted 5.18.0-rc4 #215 +[ 245.463889] Hardware name: Xiaomi AX9000 (DT) +[ 245.470050] pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 245.474307] pc : clk_branch_wait+0x130/0x140 +[ 245.481073] lr : clk_branch_wait+0x130/0x140 +[ 245.485588] sp : ffffffc009f2bad0 +[ 245.489838] x29: ffffffc009f2bad0 x28: ffffff8003e6c800 x27: 0000000000000000 +[ 245.493057] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800226ef20 +[ 245.500175] x23: ffffffc0089ff550 x22: 0000000000000000 x21: ffffffc008476ad0 +[ 245.507294] x20: 0000000000000000 x19: ffffffc00965ac70 x18: fffffffffffc51a7 +[ 245.514413] x17: 68702e3030303837 x16: 3a6d726f6674616c x15: ffffffc089f2b777 +[ 245.521531] x14: ffffffc0095c9d18 x13: 0000000000000129 x12: 0000000000000129 +[ 245.528649] x11: 00000000ffffffea x10: ffffffc009621d18 x9 : 0000000000000001 +[ 245.535767] x8 : 0000000000000001 x7 : 0000000000017fe8 x6 : 0000000000000001 +[ 245.542885] x5 : ffffff803fdca6d8 x4 : 0000000000000000 x3 : 0000000000000027 +[ 245.550002] x2 : 0000000000000027 x1 : 0000000000000023 x0 : 0000000000000026 +[ 245.557122] Call trace: +[ 245.564229] clk_branch_wait+0x130/0x140 +[ 245.566490] clk_branch2_disable+0x2c/0x40 +[ 
245.570656] clk_core_disable+0x60/0xb0 +[ 245.574561] clk_core_disable+0x68/0xb0 +[ 245.578293] clk_disable+0x30/0x50 +[ 245.582113] dwc3_qcom_remove+0x60/0xc0 [dwc3_qcom] +[ 245.585588] platform_remove+0x28/0x60 +[ 245.590361] device_remove+0x4c/0x80 +[ 245.594179] device_release_driver_internal+0x1dc/0x230 +[ 245.597914] device_driver_detach+0x18/0x30 +[ 245.602861] unbind_store+0xec/0x110 +[ 245.607027] drv_attr_store+0x24/0x40 +[ 245.610847] sysfs_kf_write+0x44/0x60 +[ 245.614405] kernfs_fop_write_iter+0x128/0x1c0 +[ 245.618052] new_sync_write+0xc0/0x130 +[ 245.622391] vfs_write+0x1d4/0x2a0 +[ 245.626123] ksys_write+0x58/0xe0 +[ 245.629508] __arm64_sys_write+0x1c/0x30 +[ 245.632895] invoke_syscall.constprop.0+0x5c/0x110 +[ 245.636890] do_el0_svc+0xa0/0x150 +[ 245.641488] el0_svc+0x18/0x60 +[ 245.644872] el0t_64_sync_handler+0xa4/0x130 +[ 245.647914] el0t_64_sync+0x174/0x178 +[ 245.652340] ---[ end trace 0000000000000000 ]--- + +So, add CLK_IS_CRITICAL flag to the clock so that the kernel won't try +to disable the sleep clock. + +Signed-off-by: Robert Marko +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220515210048.483898-10-robimarko@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-ipq8074.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c +index 0f735d37690f..97a951990103 100644 +--- a/drivers/clk/qcom/gcc-ipq8074.c ++++ b/drivers/clk/qcom/gcc-ipq8074.c +@@ -139,6 +139,7 @@ static struct clk_branch gcc_sleep_clk_src = { + }, + .num_parents = 1, + .ops = &clk_branch2_ops, ++ .flags = CLK_IS_CRITICAL, + }, + }, + }; +-- +2.35.1 + diff --git a/queue-4.14/cxl-fix-a-memory-leak-in-an-error-handling-path.patch b/queue-4.14/cxl-fix-a-memory-leak-in-an-error-handling-path.patch new file mode 100644 index 00000000000..2b1f92bc5cd --- /dev/null +++ b/queue-4.14/cxl-fix-a-memory-leak-in-an-error-handling-path.patch 
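Review bot: The added `.flags = CLK_IS_CRITICAL` keeps gcc_sleep_clk_src enabled for the lifetime of the system, but the table entry carries no hint of why this branch is exempt from gating, so a later reader may remove it as an apparent power leak. Carrying the reason from the commit message into the code, e.g. `.flags = CLK_IS_CRITICAL, /* status stays 'on' when gated; cannot be disabled */`, keeps the intent with the line. The clk_branch initializer starts outside the hunk.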
@@ -0,0 +1,36 @@
+From e6f8799836ddf66e261e93c80f31edfabe555db4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Jul 2022 21:14:48 +0200
+Subject: cxl: Fix a memory leak in an error handling path
+
+From: Christophe JAILLET
+
+[ Upstream commit 3a15b45b5454da862376b5d69a4967f5c6fa1368 ]
+
+A bitmap_zalloc() must be balanced by a corresponding bitmap_free() in the
+error handling path of afu_allocate_irqs().
+
+Acked-by: Andrew Donnellan
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/ce5869418f5838187946eb6b11a52715a93ece3d.1657566849.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/cxl/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/cxl/irq.c b/drivers/misc/cxl/irq.c
+index ce08a9f22308..0dbe78383f8f 100644
+--- a/drivers/misc/cxl/irq.c
++++ b/drivers/misc/cxl/irq.c
+@@ -353,6 +353,7 @@ int afu_allocate_irqs(struct cxl_context *ctx, u32 count)
+ 
+ out:
+ cxl_ops->release_irq_ranges(&ctx->irqs, ctx->afu->adapter);
++ bitmap_free(ctx->irq_bitmap);
+ afu_irq_name_free(ctx);
+ return -ENOMEM;
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/drivers-md-fix-a-potential-use-after-free-bug.patch b/queue-4.14/drivers-md-fix-a-potential-use-after-free-bug.patch
new file mode 100644
index 00000000000..d0ca3843aac
--- /dev/null
+++ b/queue-4.14/drivers-md-fix-a-potential-use-after-free-bug.patch
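Review bot: `bitmap_free(ctx->irq_bitmap)` is being queued for a 4.14 tree, but as far as I recall the bitmap_alloc()/bitmap_zalloc()/bitmap_free() helpers the commit message relies on arrived in a later kernel series; the allocation site in this file is not visible in the hunk, so confirm that 4.14's afu_allocate_irqs() really allocates with bitmap_zalloc() and that the symbol resolves, otherwise the matching release is `kfree(ctx->irq_bitmap);` and the backport will not build as is. Independently, the pointer is left dangling after the free; adding `ctx->irq_bitmap = NULL;` would keep any later context-release path, if one frees it too, from a double free. afu_allocate_irqs() starts outside the hunk.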
@@ -0,0 +1,44 @@
+From 90a21c593c1c30b2263c8b952931b58e22bfadcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Jul 2022 19:39:19 +0800
+Subject: drivers:md:fix a potential use-after-free bug
+
+From: Wentao_Liang
+
+[ Upstream commit 104212471b1c1817b311771d817fb692af983173 ]
+
+In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and
+may cause sh to be released. However, sh is subsequently used in lines
+2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an
+use-after-free bug.
+
+It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
+the function.
+
+Signed-off-by: Wentao_Liang
+Signed-off-by: Song Liu
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 1e52443f3aca..866ba1743f9f 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -2668,10 +2668,10 @@ static void raid5_end_write_request(struct bio *bi)
+ if (!test_and_clear_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags))
+ clear_bit(R5_LOCKED, &sh->dev[i].flags);
+ set_bit(STRIPE_HANDLE, &sh->state);
+- raid5_release_stripe(sh);
+ 
+ if (sh->batch_head && sh != sh->batch_head)
+ raid5_release_stripe(sh->batch_head);
++ raid5_release_stripe(sh);
+ }
+ 
+ static void raid5_error(struct mddev *mddev, struct md_rdev *rdev)
+--
+2.35.1
+
diff --git a/queue-4.14/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch b/queue-4.14/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch
new file mode 100644
index 00000000000..86bea5c14d2
--- /dev/null
+++ b/queue-4.14/drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch
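Review bot: Moving `raid5_release_stripe(sh)` to the end of raid5_end_write_request() makes the statement order load-bearing, since that call can drop the last reference and free `sh`, yet the new line carries nothing that says so; a comment such as `/* may free sh: this must remain the last access to it */` would stop a future edit from appending code below it. The function's start is outside the hunk.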
@@ -0,0 +1,46 @@
+From aa77818961b4aa5585f98e34cf5458fcbbecffe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Jul 2022 09:07:22 +0800
+Subject: drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()
+
+From: Liang He
+
+[ Upstream commit 91b3c8dbe898df158fd2a84675f3a284ff6666f7 ]
+
+In this function, there are two refcount leak bugs:
+(1) when breaking out of for_each_endpoint_of_node(), we need call
+the of_node_put() for the 'ep';
+(2) we should call of_node_put() for the reference returned by
+of_graph_get_remote_port() when it is not used anymore.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Liang He
+Acked-by: Martin Blumenstingl
+Acked-by: Neil Armstrong
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20220726010722.1319416-1-windhl@126.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/meson/meson_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 2d5f2ed3b0b2..0da33f7af654 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -136,8 +136,11 @@ static bool meson_vpu_has_available_connectors(struct device *dev)
+ for_each_endpoint_of_node(dev->of_node, ep) {
+ /* If the endpoint node exists, consider it enabled */
+ remote = of_graph_get_remote_port(ep);
+- if (remote)
++ if (remote) {
++ of_node_put(remote);
++ of_node_put(ep);
+ return true;
++ }
+ }
+ 
+ return false;
+--
+2.35.1
+
diff --git a/queue-4.14/ext4-avoid-remove-directory-when-directory-is-corrup.patch b/queue-4.14/ext4-avoid-remove-directory-when-directory-is-corrup.patch
new file mode 100644
index 00000000000..39c41a5d52c
--- /dev/null
+++ b/queue-4.14/ext4-avoid-remove-directory-when-directory-is-corrup.patch
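Review bot: The added `of_node_put(ep)` before `return true` is easy to mistake for a double put, because `for_each_endpoint_of_node()` releases the iterator's reference itself when the loop runs to completion but not on an early exit; a one-line comment next to it, e.g. `/* early exit: drop the iterator's reference on ep ourselves */`, would make the asymmetry visible. The `remote` reference is released before the return and `remote` is not touched afterwards, which is the right order. meson_vpu_has_available_connectors() starts outside the hunk.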
@@ -0,0 +1,43 @@ +From 8b7a38d14ec3a19bf4342b94c9a8d1c5ec72b299 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jun 2022 17:02:23 +0800 +Subject: ext4: avoid remove directory when directory is corrupted + +From: Ye Bin + +[ Upstream commit b24e77ef1c6d4dbf42749ad4903c97539cc9755a ] + +Now if check directoy entry is corrupted, ext4_empty_dir may return true +then directory will be removed when file system mounted with "errors=continue". +In order not to make things worse just return false when directory is corrupted. + +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220622090223.682234-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 4b78fa4dbcc1..e1cade9dbd30 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -2820,11 +2820,8 @@ bool ext4_empty_dir(struct inode *inode) + de = (struct ext4_dir_entry_2 *) (bh->b_data + + (offset & (sb->s_blocksize - 1))); + if (ext4_check_dir_entry(inode, NULL, de, bh, +- bh->b_data, bh->b_size, offset)) { +- offset = (offset | (sb->s_blocksize - 1)) + 1; +- continue; +- } +- if (le32_to_cpu(de->inode)) { ++ bh->b_data, bh->b_size, offset) || ++ le32_to_cpu(de->inode)) { + brelse(bh); + return false; + } +-- +2.35.1 + diff --git a/queue-4.14/ext4-avoid-resizing-to-a-partial-cluster-size.patch b/queue-4.14/ext4-avoid-resizing-to-a-partial-cluster-size.patch new file mode 100644 index 00000000000..dfdb5649324 --- /dev/null +++ b/queue-4.14/ext4-avoid-resizing-to-a-partial-cluster-size.patch 
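Review bot: Folding the `ext4_check_dir_entry()` failure into the `return false` path changes the outcome for a corrupted directory from "skip the block and keep scanning" to "report non-empty", so an rmdir on such a directory now fails instead of removing it; that is the intended safety behaviour, but the new condition carries no comment saying so. Suggest `/* a corrupted entry is treated as non-empty rather than risk removing a damaged directory */` above the `if`. The caller presumably sees a not-empty result rather than a corruption error, with the corruption itself reported by ext4_check_dir_entry(); worth stating so nobody "fixes" it back. ext4_empty_dir() starts and ends outside the hunk.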
@@ -0,0 +1,47 @@
+From 43744a99c53981fe715f818069e4a44167bdf436 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Jul 2022 04:27:48 +0000
+Subject: ext4: avoid resizing to a partial cluster size
+
+From: Kiselev, Oleg
+
+[ Upstream commit 69cb8e9d8cd97cdf5e293b26d70a9dee3e35e6bd ]
+
+This patch avoids an attempt to resize the filesystem to an
+unaligned cluster boundary. An online resize to a size that is not
+integral to cluster size results in the last iteration attempting to
+grow the fs by a negative amount, which trips a BUG_ON and leaves the fs
+with a corrupted in-memory superblock.
+
+Signed-off-by: Oleg Kiselev
+Link: https://lore.kernel.org/r/0E92A0AB-4F16-4F1A-94B7-702CC6504FDE@amazon.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/resize.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index a50eabffa411..30b2798244fa 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1951,6 +1951,16 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
+ }
+ brelse(bh);
+ 
++ /*
++ * For bigalloc, trim the requested size to the nearest cluster
++ * boundary to avoid creating an unusable filesystem. We do this
++ * silently, instead of returning an error, to avoid breaking
++ * callers that blindly resize the filesystem to the full size of
++ * the underlying block device.
++ */
++ if (ext4_has_feature_bigalloc(sb))
++ n_blocks_count &= ~((1 << EXT4_CLUSTER_BITS(sb)) - 1);
++
+ retry:
+ o_blocks_count = ext4_blocks_count(es);
+ 
+--
+2.35.1
+
diff --git a/queue-4.14/gadgetfs-ep_io-wait-until-irq-finishes.patch b/queue-4.14/gadgetfs-ep_io-wait-until-irq-finishes.patch
new file mode 100644
index 00000000000..751a8b994a5
--- /dev/null
+++ b/queue-4.14/gadgetfs-ep_io-wait-until-irq-finishes.patch
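Review bot: `n_blocks_count &= ~((1 << EXT4_CLUSTER_BITS(sb)) - 1);` builds the mask as a negative `int` and relies on sign extension when it is widened to the 64-bit `n_blocks_count`; that does keep the upper bits, but it is fragile and would silently truncate the count to 32 bits if the mask were ever computed in an unsigned 32-bit type. Forming the mask in the block type removes the dependency: `n_blocks_count &= ~(((ext4_fsblk_t)1 << EXT4_CLUSTER_BITS(sb)) - 1);`. The trim is deliberately silent per the new comment, so the only caller-visible effect is a slightly smaller final size; whether the code after `retry:` copes with a rounded count that equals the current size is outside the hunk. ext4_resize_fs() starts and ends outside the hunk.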
@@ -0,0 +1,37 @@
+From 0330a405d44fe343720b98139fc6ef719bfba204 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Jul 2022 09:06:44 +0200
+Subject: gadgetfs: ep_io - wait until IRQ finishes
+
+From: Jozef Martiniak
+
+[ Upstream commit 04cb742d4d8f30dc2e83b46ac317eec09191c68e ]
+
+after usb_ep_queue() if wait_for_completion_interruptible() is
+interrupted we need to wait until IRQ gets finished.
+
+Otherwise complete() from epio_complete() can corrupt stack.
+
+Signed-off-by: Jozef Martiniak
+Link: https://lore.kernel.org/r/20220708070645.6130-1-jomajm@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/legacy/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 53d17e1bb65a..f0f41cc8b2f1 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -365,6 +365,7 @@ ep_io (struct ep_data *epdata, void *buf, unsigned len)
+ spin_unlock_irq (&epdata->dev->lock);
+ 
+ DBG (epdata->dev, "endpoint gone\n");
++ wait_for_completion(&done);
+ epdata->status = -ENODEV;
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch b/queue-4.14/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch
new file mode 100644
index 00000000000..e9d83694ad3
--- /dev/null
+++ b/queue-4.14/irqchip-tegra-fix-overflow-implicit-truncation-warni.patch
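Review bot: The new `wait_for_completion(&done)` is uninterruptible and unbounded, so it is only correct if the path that leads into this "endpoint gone" branch (outside the hunk) guarantees that the queued request's completion callback still fires; that contract is the whole reason the wait is safe and should sit next to it, e.g. `/* the request still completes via epio_complete(); don't let 'done' leave the stack before that */`. If the branch can be reached for a request whose completion was already consumed or never scheduled, this would hang instead of corrupting the stack, which is better but still worth confirming. ep_io() starts and ends outside the hunk.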
@@ -0,0 +1,76 @@ +From 33f3bab7944827e37e46298a181713f4cdd55455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 22:14:12 +0530 +Subject: irqchip/tegra: Fix overflow implicit truncation warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sai Prakash Ranjan + +[ Upstream commit 443685992bda9bb4f8b17fc02c9f6c60e62b1461 ] + +Fix -Woverflow warnings for tegra irqchip driver which is a result +of moving arm64 custom MMIO accessor macros to asm-generic function +implementations giving a bonus type-checking now and uncovering these +overflow warnings. + +drivers/irqchip/irq-tegra.c: In function ‘tegra_ictlr_suspend’: +drivers/irqchip/irq-tegra.c:151:18: warning: large integer implicitly truncated to unsigned type [-Woverflow] + writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); + ^ + +Suggested-by: Marc Zyngier +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Arnd Bergmann +Cc: Marc Zyngier +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-tegra.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/irqchip/irq-tegra.c b/drivers/irqchip/irq-tegra.c +index 0abc0cd1c32e..1b3048ecb600 100644 +--- a/drivers/irqchip/irq-tegra.c ++++ b/drivers/irqchip/irq-tegra.c +@@ -157,10 +157,10 @@ static int tegra_ictlr_suspend(void) + lic->cop_iep[i] = readl_relaxed(ictlr + ICTLR_COP_IEP_CLASS); + + /* Disable COP interrupts */ +- writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR); + + /* Disable CPU interrupts */ +- writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR); + + /* Enable the wakeup sources of ictlr */ + writel_relaxed(lic->ictlr_wake_mask[i], ictlr + ICTLR_CPU_IER_SET); +@@ -181,12 +181,12 @@ static void tegra_ictlr_resume(void) + + writel_relaxed(lic->cpu_iep[i], + ictlr + ICTLR_CPU_IEP_CLASS); +- 
writel_relaxed(~0ul, ictlr + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_CPU_IER_CLR); + writel_relaxed(lic->cpu_ier[i], + ictlr + ICTLR_CPU_IER_SET); + writel_relaxed(lic->cop_iep[i], + ictlr + ICTLR_COP_IEP_CLASS); +- writel_relaxed(~0ul, ictlr + ICTLR_COP_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), ictlr + ICTLR_COP_IER_CLR); + writel_relaxed(lic->cop_ier[i], + ictlr + ICTLR_COP_IER_SET); + } +@@ -321,7 +321,7 @@ static int __init tegra_ictlr_init(struct device_node *node, + lic->base[i] = base; + + /* Disable all interrupts */ +- writel_relaxed(~0UL, base + ICTLR_CPU_IER_CLR); ++ writel_relaxed(GENMASK(31, 0), base + ICTLR_CPU_IER_CLR); + /* All interrupts target IRQ */ + writel_relaxed(0, base + ICTLR_CPU_IEP_CLASS); + +-- +2.35.1 + diff --git a/queue-4.14/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch b/queue-4.14/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch new file mode 100644 index 00000000000..b456fba17c0 --- /dev/null +++ b/queue-4.14/mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch 
@@ -0,0 +1,42 @@
+From 02389639f449d450d45af6781d0d8431b64551d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Jul 2022 20:41:12 +0800
+Subject: mips: cavium-octeon: Fix missing of_node_put() in
+ octeon2_usb_clocks_start
+
+From: Liang He
+
+[ Upstream commit 7a9f743ceead60ed454c46fbc3085ee9a79cbebb ]
+
+We should call of_node_put() for the reference 'uctl_node' returned by
+of_get_parent() which will increase the refcount. Otherwise, there will
+be a refcount leak bug.
+
+Signed-off-by: Liang He
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/cavium-octeon/octeon-platform.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/cavium-octeon/octeon-platform.c b/arch/mips/cavium-octeon/octeon-platform.c
+index ed42fc27033c..f2a1c316608a 100644
+--- a/arch/mips/cavium-octeon/octeon-platform.c
++++ b/arch/mips/cavium-octeon/octeon-platform.c
+@@ -86,11 +86,12 @@ static void octeon2_usb_clocks_start(struct device *dev)
+ "refclk-frequency", &clock_rate);
+ if (i) {
+ dev_err(dev, "No UCTL \"refclk-frequency\"\n");
++ of_node_put(uctl_node);
+ goto exit;
+ }
+ i = of_property_read_string(uctl_node,
+ "refclk-type", &clock_type);
+-
++ of_node_put(uctl_node);
+ if (!i && strcmp("crystal", clock_type) == 0)
+ is_crystal_clock = true;
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch b/queue-4.14/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch
new file mode 100644
index 00000000000..11f8634503c
--- /dev/null
+++ b/queue-4.14/mips-tlbex-explicitly-compare-_page_no_exec-against-.patch
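Review bot: The second `of_node_put(uctl_node)` is placed before `clock_type` is consumed by the `strcmp()` on the following line, and `clock_type` points into that node's property storage; dropping the reference before the last use means the code depends on some other holder keeping the node alive, which is normally true for flattened device-tree nodes but is not something of_property_read_string() promises. Moving the put below `if (!i && strcmp("crystal", clock_type) == 0) is_crystal_clock = true;` keeps the reference for exactly as long as the string is used, at no cost. octeon2_usb_clocks_start() starts and ends outside the hunk.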
@@ -0,0 +1,70 @@ +From 82765b1e23321da2a59e2ac07ef03d2600e7b859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 10:59:36 -0700 +Subject: MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 + +From: Nathan Chancellor + +[ Upstream commit 74de14fe05dd6b151d73cb0c73c8ec874cbdcde6 ] + +When CONFIG_XPA is enabled, Clang warns: + + arch/mips/mm/tlbex.c:629:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context] + if (cpu_has_rixi && !!_PAGE_NO_EXEC) { + ^ + arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC' + # define _PAGE_NO_EXEC (1 << _PAGE_NO_EXEC_SHIFT) + ^ + arch/mips/mm/tlbex.c:2568:24: error: converting the result of '<<' to a boolean; did you mean '(1 << _PAGE_NO_EXEC_SHIFT) != 0'? [-Werror,-Wint-in-bool-context] + if (!cpu_has_rixi || !_PAGE_NO_EXEC) { + ^ + arch/mips/include/asm/pgtable-bits.h:174:28: note: expanded from macro '_PAGE_NO_EXEC' + # define _PAGE_NO_EXEC (1 << _PAGE_NO_EXEC_SHIFT) + ^ + 2 errors generated. + +_PAGE_NO_EXEC can be '0' or '1 << _PAGE_NO_EXEC_SHIFT' depending on the +build and runtime configuration, which is what the negation operators +are trying to convey. To silence the warning, explicitly compare against +0 so the result of the '<<' operator is not implicitly converted to a +boolean. + +According to its documentation, GCC enables -Wint-in-bool-context with +-Wall but this warning is not visible when building the same +configuration with GCC. 
It appears GCC only warns when compiling C++, +not C, although the documentation makes no note of this: +https://godbolt.org/z/x39q3brxf + +Reported-by: Sudip Mukherjee (Codethink) +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/tlbex.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c +index b55c74a7f7a4..82cd14e7b20d 100644 +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -634,7 +634,7 @@ static __maybe_unused void build_convert_pte_to_entrylo(u32 **p, + return; + } + +- if (cpu_has_rixi && !!_PAGE_NO_EXEC) { ++ if (cpu_has_rixi && _PAGE_NO_EXEC != 0) { + if (fill_includes_sw_bits) { + UASM_i_ROTR(p, reg, reg, ilog2(_PAGE_GLOBAL)); + } else { +@@ -2577,7 +2577,7 @@ static void check_pabits(void) + unsigned long entry; + unsigned pabits, fillbits; + +- if (!cpu_has_rixi || !_PAGE_NO_EXEC) { ++ if (!cpu_has_rixi || _PAGE_NO_EXEC == 0) { + /* + * We'll only be making use of the fact that we can rotate bits + * into the fill if the CPU supports RIXI, so don't bother +-- +2.35.1 + diff --git a/queue-4.14/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch b/queue-4.14/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch new file mode 100644 index 00000000000..69836199e91 --- /dev/null +++ b/queue-4.14/pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch 
@@ -0,0 +1,44 @@
+From 35744493eaf5825178edf3831f45fd2838cd3e0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Jun 2022 13:41:47 -0400
+Subject: PCI: Add ACS quirk for Broadcom BCM5750x NICs
+
+From: Pavan Chebbi
+
+[ Upstream commit afd306a65cedb9589564bdb23a0c368abc4215fd ]
+
+The Broadcom BCM5750x NICs may be multi-function devices. They do not
+advertise ACS capability. Peer-to-peer transactions are not possible
+between the individual functions, so it is safe to treat them as fully
+isolated.
+
+Add an ACS quirk for these devices so the functions can be in independent
+IOMMU groups and attached individually to userspace applications using
+VFIO.
+
+Link: https://lore.kernel.org/r/1654796507-28610-1-git-send-email-michael.chan@broadcom.com
+Signed-off-by: Pavan Chebbi
+Signed-off-by: Michael Chan
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 98327966e5b4..0a116359b5c7 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4760,6 +4760,9 @@ static const struct pci_dev_acs_enabled {
+ { PCI_VENDOR_ID_AMPERE, 0xE00C, pci_quirk_xgene_acs },
+ /* Broadcom multi-function device */
+ { PCI_VENDOR_ID_BROADCOM, 0x16D7, pci_quirk_mf_endpoint_acs },
++ { PCI_VENDOR_ID_BROADCOM, 0x1750, pci_quirk_mf_endpoint_acs },
++ { PCI_VENDOR_ID_BROADCOM, 0x1751, pci_quirk_mf_endpoint_acs },
++ { PCI_VENDOR_ID_BROADCOM, 0x1752, pci_quirk_mf_endpoint_acs },
+ { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs },
+ { 0 }
+ };
+--
+2.35.1
+
diff --git a/queue-4.14/powerpc-64-init-jump-labels-before-parse_early_param.patch b/queue-4.14/powerpc-64-init-jump-labels-before-parse_early_param.patch
new file mode 100644
index 00000000000..96e13108863
--- /dev/null
+++ b/queue-4.14/powerpc-64-init-jump-labels-before-parse_early_param.patch
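Review bot: The three new table entries assert that the functions of device IDs 0x1750, 0x1751 and 0x1752 are isolated from one another even though the hardware advertises no ACS capability; that is a trust decision based on vendor information, and its effect is that VFIO may place each function in its own IOMMU group and hand it to userspace, so the table should record what the IDs are and where the isolation claim comes from. The existing `/* Broadcom multi-function device */` comment above 0x16D7 does not name these parts; suggest a comment above the new lines such as `/* Broadcom BCM5750x NICs: no P2P between functions, per vendor */`. The pci_dev_acs_enabled table starts outside the hunk.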
@@ -0,0 +1,65 @@
+From d4c450ec7e1eeb4d1f54e9f2465781781f93d4cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Jul 2022 09:57:47 +0800
+Subject: powerpc/64: Init jump labels before parse_early_param()
+
+From: Zhouyi Zhou
+
+[ Upstream commit ca829e05d3d4f728810cc5e4b468d9ebc7745eb3 ]
+
+On 64-bit, calling jump_label_init() in setup_feature_keys() is too
+late because static keys may be used in subroutines of
+parse_early_param() which is again subroutine of early_init_devtree().
+
+For example booting with "threadirqs":
+
+ static_key_enable_cpuslocked(): static key '0xc000000002953260' used before call to jump_label_init()
+ WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xfc/0x120
+ ...
+ NIP static_key_enable_cpuslocked+0xfc/0x120
+ LR static_key_enable_cpuslocked+0xf8/0x120
+ Call Trace:
+ static_key_enable_cpuslocked+0xf8/0x120 (unreliable)
+ static_key_enable+0x30/0x50
+ setup_forced_irqthreads+0x28/0x40
+ do_early_param+0xa0/0x108
+ parse_args+0x290/0x4e0
+ parse_early_options+0x48/0x5c
+ parse_early_param+0x58/0x84
+ early_init_devtree+0xd4/0x518
+ early_setup+0xb4/0x214
+
+So call jump_label_init() just before parse_early_param() in
+early_init_devtree().
+
+Suggested-by: Michael Ellerman
+Signed-off-by: Zhouyi Zhou
+[mpe: Add call trace to change log and minor wording edits.]
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220726015747.11754-1-zhouzhouyi@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kernel/prom.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
+index 99409d0420d2..ffc571edac28 100644
+--- a/arch/powerpc/kernel/prom.c
++++ b/arch/powerpc/kernel/prom.c
+@@ -710,6 +710,13 @@ void __init early_init_devtree(void *params)
+ of_scan_flat_dt(early_init_dt_scan_root, NULL);
+ of_scan_flat_dt(early_init_dt_scan_memory_ppc, NULL);
+
++ /*
++ * As generic code authors expect to be able to use static keys
++ * in early_param() handlers, we initialize the static keys just
++ * before parsing early params (it's fine to call jump_label_init()
++ * more than once).
++ */
++ jump_label_init();
+ parse_early_param();
+
+ /* make sure we've parsed cmdline for mem= before this */
+--
+2.35.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 263736517a1..552a27126b7 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
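Review bot: The added comment rests on `jump_label_init()` being safe to call more than once, which matters here because the commit message says `setup_feature_keys()` still calls it later; that property is implemented in kernel/jump_label.c, outside this hunk, and is what a 4.14 backport reviewer has to confirm for that tree. If the 4.14 version does not return early once initialised, the second call would re-run patching over already-patched sites rather than being a no-op. A one-line pointer in the comment, e.g. `* (jump_label_init() returns early once static_key_initialized is set)`, would record what the safety depends on, provided that guard is verified to exist in this tree. `early_init_devtree()` starts and ends outside the hunk.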
@@ -205,3 +205,22 @@ powerpc-pci-fix-get_phb_number-locking.patch
 i40e-fix-to-stop-tx_timeout-recovery-if-globr-fails.patch
 fec-fix-timer-capture-timing-in-fec_ptp_enable_pps.patch
 igb-add-lock-to-avoid-data-race.patch
+drm-meson-fix-refcount-bugs-in-meson_vpu_has_availab.patch
+pci-add-acs-quirk-for-broadcom-bcm5750x-nics.patch
+irqchip-tegra-fix-overflow-implicit-truncation-warni.patch
+usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch
+clk-qcom-ipq8074-dont-disable-gcc_sleep_clk_src.patch
+gadgetfs-ep_io-wait-until-irq-finishes.patch
+cxl-fix-a-memory-leak-in-an-error-handling-path.patch
+drivers-md-fix-a-potential-use-after-free-bug.patch
+ext4-avoid-remove-directory-when-directory-is-corrup.patch
+ext4-avoid-resizing-to-a-partial-cluster-size.patch
+tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch
+vfio-clear-the-caps-buf-to-null-after-free.patch
+mips-cavium-octeon-fix-missing-of_node_put-in-octeon.patch
+alsa-core-add-async-signal-helpers.patch
+alsa-timer-use-deferred-fasync-helper.patch
+smb3-check-xattr-value-length-earlier.patch
+powerpc-64-init-jump-labels-before-parse_early_param.patch
+video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch
+mips-tlbex-explicitly-compare-_page_no_exec-against-.patch
diff --git a/queue-4.14/smb3-check-xattr-value-length-earlier.patch b/queue-4.14/smb3-check-xattr-value-length-earlier.patch
new file mode 100644
index 00000000000..384aca1f851
--- /dev/null
+++ b/queue-4.14/smb3-check-xattr-value-length-earlier.patch
@@ -0,0 +1,51 @@
+From 924eea06e15f79b62b943d94626a9e512d2636b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Jul 2022 11:43:44 -0500
+Subject: smb3: check xattr value length earlier
+
+From: Steve French
+
+[ Upstream commit 5fa2cffba0b82336a2244d941322eb1627ff787b ]
+
+Coverity complains about assigning a pointer based on
+value length before checking that value length goes
+beyond the end of the SMB. Although this is even more
+unlikely as value length is a single byte, and the
+pointer is not dereferenced until laterm, it is clearer
+to check the lengths first.
+
+Addresses-Coverity: 1467704 ("Speculative execution data leak")
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2ops.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 3280a801b1d7..069eb2533e7f 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -463,9 +463,7 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size,
+ size_t name_len, value_len, user_name_len;
+
+ while (src_size > 0) {
+- name = &src->ea_data[0];
+ name_len = (size_t)src->ea_name_length;
+- value = &src->ea_data[src->ea_name_length + 1];
+ value_len = (size_t)le16_to_cpu(src->ea_value_length);
+
+ if (name_len == 0) {
+@@ -478,6 +476,9 @@ move_smb2_ea_to_cifs(char *dst, size_t dst_size,
+ goto out;
+ }
+
++ name = &src->ea_data[0];
++ value = &src->ea_data[src->ea_name_length + 1];
++
+ if (ea_name) {
+ if (ea_name_len == name_len &&
+ memcmp(ea_name, name, name_len) == 0) {
+--
+2.35.1
+
diff --git a/queue-4.14/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch b/queue-4.14/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch
new file mode 100644
index 00000000000..6e88283c3e3
--- /dev/null
+++ b/queue-4.14/tty-serial-fix-refcount-leak-bug-in-ucc_uart.c.patch
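Review bot: The moved `value = &src->ea_data[src->ea_name_length + 1];` only gains anything if the checks it now follows compare `src_size` against `name_len`, the NUL and `value_len`; those checks sit in the elided lines 470–475 of smb2ops.c between the two fragments and are not visible here, so their presence in the 4.14 tree is inferred from the commit message rather than shown. For a stable backport the reviewer should confirm that bound check exists at that point in this tree, since the reordering is cosmetic without it. A short comment above the two assignments, `/* lengths validated above: both pointers stay within src_size */`, would make the intended ordering explicit for the next person who touches the loop. `move_smb2_ea_to_cifs()` starts and ends outside the hunk.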
@@ -0,0 +1,38 @@
+From 7bdabffede7a92e52ba2ddbf878c4c569ae8637d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Jun 2022 14:08:50 +0800
+Subject: tty: serial: Fix refcount leak bug in ucc_uart.c
+
+From: Liang He
+
+[ Upstream commit d24d7bb2cd947676f9b71fb944d045e09b8b282f ]
+
+In soc_info(), of_find_node_by_type() will return a node pointer
+with refcount incremented. We should use of_node_put() when it is
+not used anymore.
+
+Acked-by: Timur Tabi
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220618060850.4058525-1-windhl@126.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/ucc_uart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/ucc_uart.c b/drivers/tty/serial/ucc_uart.c
+index 55b702775786..40b8e414f48f 100644
+--- a/drivers/tty/serial/ucc_uart.c
++++ b/drivers/tty/serial/ucc_uart.c
+@@ -1143,6 +1143,8 @@ static unsigned int soc_info(unsigned int *rev_h, unsigned int *rev_l)
+ /* No compatible property, so try the name. */
+ soc_string = np->name;
+
++ of_node_put(np);
++
+ /* Extract the SOC number from the "PowerPC," string */
+ if ((sscanf(soc_string, "PowerPC,%u", &soc) != 1) || !soc)
+ return 0;
+--
+2.35.1
+
diff --git a/queue-4.14/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch b/queue-4.14/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch
new file mode 100644
index 00000000000..94f646db298
--- /dev/null
+++ b/queue-4.14/usb-host-ohci-ppc-of-fix-refcount-leak-bug.patch
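Review bot: The new `of_node_put(np);` is placed before the last use of the node: `soc_string` was set to `np->name` two lines above (and, on the branch not shown, presumably to a property value owned by the same node) and is then handed to `sscanf()` after the reference has been dropped. The string very likely stays valid because it lives in the flattened device tree, but the ordering reads as a use-after-put and will trip anyone auditing the function later. Extracting `soc` with the `sscanf()` first and dropping the reference after it — `if ((sscanf(soc_string, "PowerPC,%u", &soc) != 1) || !soc) { of_node_put(np); return 0; }` followed by `of_node_put(np);` — keeps the lifetime obvious. `soc_info()` starts and ends outside the hunk.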
@@ -0,0 +1,37 @@
+From 4f67f0b81996fd7e5a2a476b175b6ecfd0f66e3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Jun 2022 11:46:37 +0800
+Subject: usb: host: ohci-ppc-of: Fix refcount leak bug
+
+From: Liang He
+
+[ Upstream commit 40a959d7042bb7711e404ad2318b30e9f92c6b9b ]
+
+In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return
+a node pointer with refcount incremented. We should use of_node_put()
+when it is not used anymore.
+
+Acked-by: Alan Stern
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220617034637.4003115-1-windhl@126.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/host/ohci-ppc-of.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/host/ohci-ppc-of.c b/drivers/usb/host/ohci-ppc-of.c
+index 4f87a5c61b08..d22a70363fbf 100644
+--- a/drivers/usb/host/ohci-ppc-of.c
++++ b/drivers/usb/host/ohci-ppc-of.c
+@@ -168,6 +168,7 @@ static int ohci_hcd_ppc_of_probe(struct platform_device *op)
+ release_mem_region(res.start, 0x4);
+ } else
+ pr_debug("%s: cannot get ehci offset from fdt\n", __FILE__);
++ of_node_put(np);
+ }
+
+ irq_dispose_mapping(irq);
+--
+2.35.1
+
diff --git a/queue-4.14/vfio-clear-the-caps-buf-to-null-after-free.patch b/queue-4.14/vfio-clear-the-caps-buf-to-null-after-free.patch
new file mode 100644
index 00000000000..eea59ab9881
--- /dev/null
+++ b/queue-4.14/vfio-clear-the-caps-buf-to-null-after-free.patch
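Review bot: The new `of_node_put(np);` follows an unbraced `else pr_debug(...)` at the same indentation, which is exactly the shape that reads as if the put belonged to the else branch; kernel style asks for braces on both arms once either arm has them, so this should become `} else {` / `pr_debug("%s: cannot get ehci offset from fdt\n", __FILE__);` / `}` before the put. Any early exit inside this block ahead of the put, if one exists in the lines not shown, would still leak the reference. `ohci_hcd_ppc_of_probe()` starts and ends outside the hunk.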
@@ -0,0 +1,38 @@
+From 229b84e904461dfa0d1851fd84255691eceefb2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Jun 2022 10:29:48 +0800
+Subject: vfio: Clear the caps->buf to NULL after free
+
+From: Schspa Shi
+
+[ Upstream commit 6641085e8d7b3f061911517f79a2a15a0a21b97b ]
+
+On buffer resize failure, vfio_info_cap_add() will free the buffer,
+report zero for the size, and return -ENOMEM. As additional
+hardening, also clear the buffer pointer to prevent any chance of a
+double free.
+
+Signed-off-by: Schspa Shi
+Reviewed-by: Cornelia Huck
+Link: https://lore.kernel.org/r/20220629022948.55608-1-schspa@gmail.com
+Signed-off-by: Alex Williamson
+Signed-off-by: Sasha Levin
+---
+ drivers/vfio/vfio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
+index 0d73d913c18b..747eb5c70238 100644
+--- a/drivers/vfio/vfio.c
++++ b/drivers/vfio/vfio.c
+@@ -1813,6 +1813,7 @@ struct vfio_info_cap_header *vfio_info_cap_add(struct vfio_info_cap *caps,
+ buf = krealloc(caps->buf, caps->size + size, GFP_KERNEL);
+ if (!buf) {
+ kfree(caps->buf);
++ caps->buf = NULL;
+ caps->size = 0;
+ return ERR_PTR(-ENOMEM);
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch b/queue-4.14/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch
new file mode 100644
index 00000000000..481839a6c67
--- /dev/null
+++ b/queue-4.14/video-fbdev-i740fb-check-the-argument-of-i740_calc_v.patch
@@ -0,0 +1,67 @@
+From 061972b02f066e985d110fe28bf0156977309dd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Aug 2022 17:24:19 +0800
+Subject: video: fbdev: i740fb: Check the argument of i740_calc_vclk()
+
+From: Zheyu Ma
+
+[ Upstream commit 40bf722f8064f50200b8c4f8946cd625b441dda9 ]
+
+Since the user can control the arguments of the ioctl() from the user
+space, under special arguments that may result in a divide-by-zero bug.
+
+If the user provides an improper 'pixclock' value that makes the argumet
+of i740_calc_vclk() less than 'I740_RFREQ_FIX', it will cause a
+divide-by-zero bug in:
+ drivers/video/fbdev/i740fb.c:353 p_best = min(15, ilog2(I740_MAX_VCO_FREQ / (freq / I740_RFREQ_FIX)));
+
+The following log can reveal it:
+
+divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+RIP: 0010:i740_calc_vclk drivers/video/fbdev/i740fb.c:353 [inline]
+RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:646 [inline]
+RIP: 0010:i740fb_set_par+0x163f/0x3b70 drivers/video/fbdev/i740fb.c:742
+Call Trace:
+ fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034
+ do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
+ fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189
+
+Fix this by checking the argument of i740_calc_vclk() first.
+
+Signed-off-by: Zheyu Ma
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/i740fb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c
+index 7bc5f6056c77..4147a9534179 100644
+--- a/drivers/video/fbdev/i740fb.c
++++ b/drivers/video/fbdev/i740fb.c
+@@ -399,7 +399,7 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var,
+ u32 xres, right, hslen, left, xtotal;
+ u32 yres, lower, vslen, upper, ytotal;
+ u32 vxres, xoffset, vyres, yoffset;
+- u32 bpp, base, dacspeed24, mem;
++ u32 bpp, base, dacspeed24, mem, freq;
+ u8 r7;
+ int i;
+
+@@ -641,7 +641,12 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var,
+ par->atc[VGA_ATC_OVERSCAN] = 0;
+
+ /* Calculate VCLK that most closely matches the requested dot clock */
+- i740_calc_vclk((((u32)1e9) / var->pixclock) * (u32)(1e3), par);
++ freq = (((u32)1e9) / var->pixclock) * (u32)(1e3);
++ if (freq < I740_RFREQ_FIX) {
++ fb_dbg(info, "invalid pixclock\n");
++ freq = I740_RFREQ_FIX;
++ }
++ i740_calc_vclk(freq, par);
+
+ /* Since we program the clocks ourselves, always use VCLK2. */
+ par->misc |= 0x0C;
+--
+2.35.1
+
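Review bot: The new guard runs after `var->pixclock` has already been used as a divisor in `freq = (((u32)1e9) / var->pixclock) * (u32)(1e3);`, so a user-supplied `pixclock` of 0 still faults before `freq < I740_RFREQ_FIX` is evaluated, unless an earlier check in `i740fb_decode_var()` (outside the hunk) rejects it. Since the commit message says the value arrives straight from the ioctl, the function should reject it up front with `if (!var->pixclock) return -EINVAL;`. Separately, clamping to `I740_RFREQ_FIX` after an `fb_dbg` that calls the value invalid silently accepts a mode the driver just rejected in words; a `decode_var` conventionally returns `-EINVAL` for an unusable mode instead of substituting one. `i740fb_decode_var()` starts and ends outside the hunk.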